CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple » Iphone Os : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
801 CVE-2014-4364 310 2014-09-18 2017-01-06
2.9
None Local Network Medium Not required Partial None None
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.
802 CVE-2014-4363 255 +Info 2014-09-18 2017-01-06
5.0
None Remote Low Not required Partial None None
Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element.
803 CVE-2014-4362 200 +Info 2014-09-18 2017-01-06
5.0
None Remote Low Not required Partial None None
The Sandbox Profiles implementation in Apple iOS before 8 does not properly restrict the third-party app sandbox profile, which allows attackers to obtain sensitive Apple ID information via a crafted app.
804 CVE-2014-4361 200 +Info 2014-09-18 2017-01-06
5.0
None Remote Low Not required Partial None None
The Home & Lock Screen subsystem in Apple iOS before 8 does not properly restrict the private API for app prominence, which allows attackers to determine the frontmost app by leveraging access to a crafted background app.
805 CVE-2014-4357 200 +Info 2014-09-18 2017-01-06
2.1
None Local Low Not required Partial None None
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.
806 CVE-2014-4356 200 +Info 2014-09-18 2017-01-06
2.1
None Local Low Not required Partial None None
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.
807 CVE-2014-4354 264 Bypass 2014-09-18 2017-01-06
5.8
None Local Network Low Not required Partial Partial Partial
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.
808 CVE-2014-4353 362 +Info 2014-09-18 2017-01-06
4.3
None Remote Medium Not required Partial None None
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.
809 CVE-2014-4352 310 +Info 2014-09-18 2017-01-06
2.1
None Local Low Not required Partial None None
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
810 CVE-2014-3192 416 DoS 2014-10-08 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
811 CVE-2014-3187 79 XSS 2014-10-08 2014-10-08
6.8
None Remote Medium Not required Partial Partial Partial
Google Chrome before 37.0.2062.60 and 38.x before 38.0.2125.59 on iOS does not properly restrict processing of (1) facetime:// and (2) facetime-audio:// URLs, which allows remote attackers to obtain video and audio data from a device via a crafted web site.
812 CVE-2014-2019 264 Bypass 2014-02-18 2014-03-16
4.9
None Local Low Not required None Complete None
The iCloud subsystem in Apple iOS before 7.1 allows physically proximate attackers to bypass an intended password requirement, and turn off the Find My iPhone service or complete a Delete Account action and then associate this service with a different Apple ID account, by entering an arbitrary iCloud Account Password value and a blank iCloud Account Description value.
813 CVE-2014-1382 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
814 CVE-2014-1368 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
815 CVE-2014-1367 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
816 CVE-2014-1366 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
817 CVE-2014-1365 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
818 CVE-2014-1364 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
819 CVE-2014-1363 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
820 CVE-2014-1362 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
821 CVE-2014-1361 200 +Info 2014-07-01 2015-12-08
5.0
None Remote Low Not required Partial None None
Secure Transport in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 does not ensure that a DTLS message is accepted only for a DTLS connection, which allows remote attackers to obtain potentially sensitive information from uninitialized process memory by providing a DTLS message within a TLS connection.
822 CVE-2014-1360 20 Bypass 2014-07-01 2017-01-06
2.1
None Local Low Not required None Partial None
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors.
823 CVE-2014-1359 189 Exec Code 2014-07-01 2015-12-08
10.0
None Remote Low Not required Complete Complete Complete
Integer underflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application.
824 CVE-2014-1358 189 Exec Code Overflow 2014-07-01 2015-12-08
10.0
None Remote Low Not required Complete Complete Complete
Integer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application.
825 CVE-2014-1357 119 Exec Code Overflow 2014-07-01 2015-12-08
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that generates log messages.
826 CVE-2014-1356 119 Exec Code Overflow 2014-07-01 2015-12-08
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple OS X before 10.9.4, and Apple TV before 6.1.2 allows attackers to execute arbitrary code via a crafted application that sends IPC messages.
827 CVE-2014-1355 DoS 2014-07-01 2015-12-08
4.9
None Local Low Not required None None Complete
The IOKit implementation in the kernel in Apple iOS before 7.1.2 and Apple TV before 6.1.2, and in IOReporting in Apple OS X before 10.9.4, allows local users to cause a denial of service (NULL pointer dereference and reboot) via crafted API arguments.
828 CVE-2014-1354 399 DoS Exec Code 2014-07-01 2017-01-06
6.8
None Remote Medium Not required Partial Partial Partial
CoreGraphics in Apple iOS before 7.1.2 does not properly restrict allocation of stack memory for processing of XBM images, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image data.
829 CVE-2014-1353 264 Bypass 2014-07-01 2017-01-06
3.6
None Local Low Not required Partial Partial None
Lock Screen in Apple iOS before 7.1.2 does not properly manage the telephony state in Airplane Mode, which allows physically proximate attackers to bypass the lock protection mechanism, and access a certain foreground application, via unspecified vectors.
830 CVE-2014-1352 264 2014-07-01 2017-01-06
1.9
None Local Medium Not required None Partial None
Lock Screen in Apple iOS before 7.1.2 does not properly enforce the limit on failed passcode attempts, which makes it easier for physically proximate attackers to conduct brute-force passcode-guessing attacks via unspecified vectors.
831 CVE-2014-1351 264 Bypass 2014-07-01 2017-01-06
3.6
None Local Low Not required Partial Partial None
Siri in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended lock-screen passcode requirement, and read a contact list, via a Siri request that refers to a contact ambiguously.
832 CVE-2014-1350 264 Bypass 2014-07-01 2017-01-06
4.6
None Local Low Not required Partial Partial Partial
Settings in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended iCloud password requirement, and turn off the Find My iPhone service, by leveraging incorrect state management.
833 CVE-2014-1349 DoS Exec Code 2014-07-01 2017-01-06
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an invalid URL.
834 CVE-2014-1348 310 +Info 2014-07-01 2017-01-06
2.1
None Local Low Not required Partial None None
Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition.
835 CVE-2014-1345 2014-07-01 2017-01-06
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 7.1.2 and Apple Safari before 6.1.5 and 7.x before 7.0.5 does not properly encode domain names in URLs, which allows remote attackers to spoof the address bar via a crafted web site.
836 CVE-2014-1325 119 DoS Exec Code Overflow Mem. Corr. 2014-07-01 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
837 CVE-2014-1320 200 Bypass +Info 2014-04-23 2014-04-24
4.9
None Local Low Not required Complete None None
IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 places kernel pointers into an object data structure, which makes it easier for local users to bypass the ASLR protection mechanism by reading unspecified attributes of the object.
838 CVE-2014-1296 264 Bypass 2014-04-23 2014-04-23
4.3
None Remote Medium Not required Partial None None
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
839 CVE-2014-1295 287 +Info 2014-04-23 2014-04-23
6.8
None Remote Medium Not required Partial Partial Partial
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
840 CVE-2014-1294 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1293.
841 CVE-2014-1293 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1294.
842 CVE-2014-1292 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1293, and CVE-2014-1294.
843 CVE-2014-1291 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
844 CVE-2014-1290 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
845 CVE-2014-1289 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
846 CVE-2014-1287 119 DoS Exec Code Overflow Mem. Corr. 2014-03-14 2014-03-14
7.2
None Local Low Not required Complete Complete Complete
USB Host in Apple iOS before 7.1 and Apple TV before 6.1 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted USB messages.
847 CVE-2014-1286 DoS 2014-03-14 2014-03-14
5.0
None Remote Low Not required None None Partial
SpringBoard Lock Screen in Apple iOS before 7.1 allows remote attackers to cause a denial of service (lock-screen hang) by leveraging a state-management error.
848 CVE-2014-1285 264 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
Springboard in Apple iOS before 7.1 allows physically proximate attackers to bypass intended access restrictions and read the home screen by leveraging an application crash during activation of an unactivated device.
849 CVE-2014-1282 264 Bypass 2014-03-14 2014-03-14
5.8
None Remote Medium Not required Partial Partial None
The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name.
850 CVE-2014-1281 264 2014-03-14 2014-03-14
1.9
None Local Medium Not required Partial None None
Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image.
Total number of vulnerabilities : 1176   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 (This Page)18 19 20 21 22 23 24
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.